Section 3 in The Information Technology (Certifying Authority) Regulations, 2001

3. Terms and conditions of licence to issue Digital Signature Certificate

Every licence to issue Digital Signature Certificates shall be granted under the Act subject to the following terms and conditions, namely:-
(i) General-
(a) The licence shall be valid for a period of five years from the date of issue.
(b) The licence shall not be transferable or heritable;
(c) The Controller can revoke or suspend the licence in accordance with the provisions of the Act.
(d) The Certifying Authority shall be bound to comply with all the parameters against which it was audited prior to issue of licence and shall consistently and continuously comply with those parameters during the period for which the licence shall remain valid.
(e) The Certifying Authority shall subject itself to periodic audits to ensure that all conditions of the licence are consistently complied with by it. As the cryptographic components of the Certifying Authority systems are highly sensitive and critical, the components must be subjected to periodic expert review to ensure their integrity and assurance.
(f) The Certifying Authority must maintain secure and reliable records and logs for activities that are core to its operations.
(g) Public Key Certificates and Certificate Revocation Lists must be archived for a minimum period of seven years to enable verification of past transactions.
(h) The Certifying Authority shall provide Time Stamping Service for its subscribers. Error of the Time Stamping clock shall not be more than 1 in 10^9.
(i) The Certifying Authority shall use methods, which are approved by the Controller, to verify the identity of a subscriber before issuing or renewing any Public Key Certificate.
(j) The Certifying Authority shall publish a notice of suspension or revocation of any certificate in the Certificate Revocation List in its repository immediately after receiving an authorised request of such suspension or revocation.
(k) The Certifying Authority shall always assure the confidentiality of subscriber information.
(l) All changes in Certificate Policy and certification practice statement shall be published on the web site of the Certifying Authority and brought to the notice of the Controller well in advance of such publication. However, any change shall not contravene any provision of the Act, or of any rule or regulation made thereunder.
(m) The Certifying Authority shall comply with every order or direction issued by the Controller within the stipulated period.
(ii) Overall Management and Obligations-
(a) The Certifying Authority shall manage its functions in accordance with the levels of integrity and security approved by the Controller from time to time.
(b) The Certifying Authority shall disclose information on the assurance levels of the certificates that it issues and the limitations of its liabilities to each of its subscribers and relying parties.
(c) The Certifying Authority shall, as approved in respect of security and risk management controls, continuously ensure that security policies and safeguards are in place. Such controls include personnel security and incident handling measures to prevent fraud and security breaches.
(iii) Certificate and Key Management-
(a) To ensure the integrity of its digital certificates, the Certifying Authority shall ensure the use of approved security controls in the certificate management processes, i.e., certificate registration, generation, issuance, publication, renewal, suspension, revocation and archival.
(b) The method of verification of the identity of the applicant of a Public Key Certificate shall be commensurate with the level of assurance accorded to the certificate.
(c) The Certifying Authority shall ensure the continued accessibility and availability of its Public Key Certificates and Certificate Revocation Lists in its repository to its subscribers and relying parties.
(d) In the event of a compromise of the private key, the Certifying Authority shall follow the established procedures for immediate revocation of the affected subscribers' certificates.
(e) The Certifying Authority shall make available the information relating to certificates issued and/or revoked by it to the Controller for inclusion in the National Repository.
(f) The private key of the Certifying Authority shall be adequately secured at each phase of its life cycle, i.e., key generation, distribution, storage, usage, backup, archival and destruction.
(g) The private key of the Certifying Authority shall be stored in a high security module in accordance with FIPS 140-1 level 3 recommendations for the Cryptographic Modules Validation List.
(h) Continued availability of the private key shall be ensured through approved backup measures in the event of loss or corruption of its private key.
(i) All submissions of Public Key Certificates and Certificate Revocation Lists to the National Repository of the Controller must ensure that subscribers and relying parties are able to access the National Repository using LDAP ver 3 for X.500 Directories.
(j) The Certifying Authority shall ensure that the subscriber can verify the Certifying Authority's Public Key Certificate, if he chooses to do so, by having access to the Public Key Certificate of the Controller.
(iv) Systems and Operations-
(a) The Certifying Authority shall prepare detailed manuals for performing all its activities and shall scrupulously adhere to them.
(b) Approved access and integrity controls such as intrusion detection, virus scanning, prevention of denial of service attacks and physical security measures shall be followed by the Certifying Authority for all its systems that store and process the subscribers' information and certificates.
(c) The Certifying Authority shall maintain records of all activities and review them regularly to detect any anomaly in the system.
(v) Physical, procedural and personnel security-
(a) Every Certifying Authority shall get an independent periodic audit done through an approved auditor. Such periodic audits shall focus on the following issues among others:-
    (i) changes/additions in physical controls such as site location, access, etc.;
    (ii) re-deployment of personnel from an approved role/task to a new one;
    (iii) appropriate security clearances for outgoing employees such as deletion of keys and all access privileges;
    (iv) thorough background checks, etc., during employment of new personnel.
(b) The Certifying Authority shall follow approved procedures to ensure that all the activities referred to in (i) to (iv) in sub-regulation (a) are recorded properly and made available during audits.
(vi) Financial-
(a) Every Certifying Authority shall comply with all the financial parameters during the period of validity of the licence issued under the Act.
(b) Any loss to the subscriber which is attributable to the Certifying Authority shall be made good by the Certifying Authority.
(vii) Compliance Audits-
(a) The Certifying Authority shall subject itself to Compliance Audits that shall be carried out by one of the empanelled Auditors duly authorized by the Controller for the purpose. Such audits shall be based on the Internet Engineering Task Force document RFC 2527 (Internet X.509 PKI Certificate Policy and Certification Practices Framework).
(b) If a Digital Signature Certificate issued by the Certifying Authority is found to be fictitious, or proper identification procedures have not been followed by the Certifying Authority while issuing such certificate, the Certifying Authority shall be liable for any losses resulting from this lapse and shall be liable to pay compensation as decided by the Controller.